Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

first connexion and last connexion VPN

numeroinconnu12
Path Finder
‎03-05-2020 03:27 AM

Hello, this is my request

index=juniper_vpn ID=AUT24803
( src_user!=ANONYMOUSUSER*)
| eval src_user=upper(src_user)
| eval lmt=min(_time), date=max(_time)
| convert timeformat="%d/%m/%Y %H:%M:%S." ctime(lmt) AS lmt, ctime(date) AS date
| join type=left user [| inputlookup accounts.csv |search domaine="intra"| eval user=matricule ]
| join type=left ua [| inputlookup dirigeant.csv| eval ua=UA ]
| rename user as Utilisateur, cn as Nom, ua as UA, samaccountname as Dirigeant
| dedup Utilisateur
| rename src_user as Matricule
| stats count(Utilisateur) as "Total", list(Nom) as Nom, list(date) as fin_cnx, list(lmt) as debut_cnx, list(Matricule) as Matricule by UA
| table UA Nom Matricule debut_cnx fin_cnx Total
| sort UA
| addcoltotals labelfield=UA label="nombre total d'utilisateurs" Total

You can see my results in picture.
alt text

I'd like to have the start date of the connection in the "debut_cnx" column and the end date of the connection in the "fin_cnx" column. Can you help me please.

Preview file
1 KB
0 Karma
Reply

manjunathmeti
Champion
‎03-07-2020 10:23 PM

Hi @numeroinconnu123,

Try this:

index=juniper_vpn ID=AUT24803 ( src_user!=ANONYMOUSUSER*) | eval src_user=upper(src_user) | eval lmt=min(_time), date=max(_time) | convert timeformat="%d/%m/%Y %H:%M:%S." ctime(lmt) AS lmt, ctime(date) AS date | join type=left user [| inputlookup accounts.csv |search domaine="intra"| eval user=matricule ] | join type=left ua [| inputlookup dirigeant.csv| eval ua=UA ] | rename user as Utilisateur, cn as Nom, ua as UA, samaccountname as Dirigeant | dedup Utilisateur | rename src_user as Matricule | stats count(Utilisateur) as "Total", list(Nom) as Nom, list(date) as fin_cnx, list(lmt) as debut_cnx, list(Matricule) as Matricule, earliest(date) as start_fin_cmx, latest(lmt) as last_debut_cnx by UA | table UA Nom Matricule debut_cnx fin_cnx Total | sort UA | addcoltotals labelfield=UA label="nombre total d'utilisateurs" Total

If you want start_date and end_date common for all values in field UA then try this,

index=juniper_vpn ID=AUT24803 ( src_user!=ANONYMOUSUSER*) | eval src_user=upper(src_user) | eval lmt=min(_time), date=max(_time) | convert timeformat="%d/%m/%Y %H:%M:%S." ctime(lmt) AS lmt, ctime(date) AS date | join type=left user [| inputlookup accounts.csv |search domaine="intra"| eval user=matricule ] | join type=left ua [| inputlookup dirigeant.csv| eval ua=UA ] | rename user as Utilisateur, cn as Nom, ua as UA, samaccountname as Dirigeant | dedup Utilisateur | rename src_user as Matricule | stats count(Utilisateur) as "Total", list(Nom) as Nom, list(date) as fin_cnx, list(lmt) as debut_cnx, list(Matricule) as Matricule, earliest(date) as start_fin_cmx, latest(lmt) as last_debut_cnx by UA | table UA Nom Matricule debut_cnx fin_cnx Total | eventstats earliest(start_fin_cmx) as start_fin_cmx, latest(last_debut_cnx) as last_debut_cnx | sort UA | addcoltotals labelfield=UA label="nombre total d'utilisateurs" Total
0 Karma
Reply

to4kawa
Ultra Champion
‎03-07-2020 01:22 AM

The both "debut_cnx" and "fin_cnx" are same value.
In this picture,
debut_cnx: 04/03/2020 11:39:05
fin_cnx: 04/03/2020 18:37:56

Is this correct?

0 Karma
Reply
Get Updates on the Splunk Community!

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...